XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. XOOPS Modules Support forums / 
  3. Module usage questions 
  4.  / user.php deface/exploit ( 1.3 )
Register
1
Anonymous
user.php deface/exploit ( 1.3 )

  • 2004/2/16 12:55

  • Anonymous

  • Posts: 0

  • Since:


There is an exploit where a user can deface the login redirect page ( and put ANY VALID HTML there - think about it - ) through one of the fields during registration.

The fix for it is, in user.php, to replace line:

redirect_header($redir,1,sprintf(_US_LOGGINGU, $uname));

With:

$myts = &MyTextSanitizer::getInstance();
$uname_safe=$myts->makeTboxData4Show($uname);
redirect_header($redir,1,sprintf(_US_LOGGINGU, $uname_safe));

Yes I know makeTboxData4Show is deprecated, use the equivalent from the Sanitizer class

Yes I know that this defaces only their own redirect page, but think about it - it would also allow.....?
2
Jan304
Re: user.php deface/exploit ( 1.3 )

  • 2004/2/16 13:51

  • Jan304

  • Official Support Member

  • Posts: 520

  • Since: 2002/3/31


I'm not sure what exactly you are meaning, or where, but if I understand this correctly it is in the login page.

But, as far as I know the login happens with a post request, and not get. So it cannot be called a 'x ss'. But then, if data is given with a get request, and register_globals is on, then still it will have no effect, since the data that will come out of the MySQL database will override your get data.

So at the moment what you are telling is not correct. But, I cannot be sure since I'm not behind my pc at home.

PS: You first speak about registration but then you show the code of a login definement...??
3
Anonymous
Re: user.php deface/exploit ( 1.3 )

  • 2004/2/16 14:28

  • Anonymous

  • Posts: 0

  • Since:


OK, I will be clearer, I was trying to be vague to avoid giving instructions out as to how to do it.

If the user registers their username but embeds html code into it then when they log in the html code in their username will be parsed.

Register a username called "WibbleHi Im italic".

Login with it.

The reason I mentioned registration is that this is the only place an end user can enter bad data into that field.
4
Jan304
Re: user.php deface/exploit ( 1.3 )

  • 2004/2/16 15:23

  • Jan304

  • Official Support Member

  • Posts: 520

  • Since: 2002/3/31


Ah, now it is getting clear to me. Did you know that is is preferable to notice the XOOPS team before releasing this to the public so people cannot make use of it?

And, in XOOPS 2.0.x, I'm unable to register a nickname with < or > in. You might wanne check System Admin - Settings - User Settings.
5
Anonymous
Re: user.php deface/exploit ( 1.3 )

  • 2004/2/16 15:37

  • Anonymous

  • Posts: 0

  • Since:


1. Nope, hence why I was being deliberately vague but not so vague I didn't provide a patch, I was merely following the example set a few days ago by the lastposts module exploit notification and warning people. Secondly, security by obscurity etc, Ive found out about a number of exploits and fixing them by watching security advisory boards that provide explicity test cases to demonstrate security holes and how to patch them.

2. Ill check it out but I did say 1.3 and not 2.0.

So are you saying, that for XOOPS1.3 that you are still patching security defects? I thought it was now unsupported code hence you would not really be interested anyway in an exploit that could not work on 2.0 by design.

6
Jan304
Re: user.php deface/exploit ( 1.3 )

  • 2004/2/16 17:21

  • Jan304

  • Official Support Member

  • Posts: 520

  • Since: 2002/3/31


So thx to GIJOE you are also posting this in the forum in place of warning the creator of it (in this case the XOOPS team).

And yes, as far as I know XOOPS version 1.3 is still getting updated, but only for security releases. So please, try to contact the XOOPS team.

FOR EVERYONE: DO NOT POST SECURITY RELATED ARTICLES ON THE FORUM BEFORE THERE IS A PATCH AVAILABLE...

Thx everyone for listening... Ofcourse this is only an advice :)
7
Anonymous
Re: user.php deface/exploit ( 1.3 )

  • 2004/2/16 17:26

  • Anonymous

  • Posts: 0

  • Since:


No, thanks to Kents example I am following the example of warning AND providing a patch at the same time.

Sheesh some people.

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

155 user(s) are online (130 user(s) are browsing Support Forums)

Members: 0

Guests: 155

more...

Donat-O-Meter

Stats
Goal: AU$15.00
Due Date: May 31
Gross Amount: AU$0.00
Net Balance: AU$0.00
Left to go: AU$15.00
Make donations with PayPal!

Latest GitHub Commits